Integration Tests: Check for exceptions at build time
In the event of an exception in the docker/install_chrome_dependencies.py file at build time, the exception should not be swallowed but instead raised, to prevent unit tests from churning needlessly.
[sc-7194]
DryRun Security Summary
The code change in this pull request is a script that identifies missing dependencies for the Chrome browser in a Docker environment, logs the missing packages, and helps prevent potential security vulnerabilities or stability problems.
Summary:
The code change in this pull request is part of a script that identifies missing dependencies for the Chrome browser when running in a Docker environment. The script uses the ldd command to find missing dependencies, and then searches for the corresponding packages using the apt-file command. The script logs the list of missing packages to assist in resolving the dependencies.
From an application security perspective, this change is focused on ensuring the correct dependencies are installed for the Chrome browser, which is a critical component for many web applications. By identifying and resolving missing dependencies, the script helps prevent potential issues related to missing libraries or outdated dependencies, which could lead to security vulnerabilities or stability problems. The code appears to be well-structured and handles errors appropriately, but there are a few areas for potential improvement, such as adding more robust error handling and extending the script to automatically install the missing packages.
Files Changed:
- docker/install_chrome_dependencies.py: This script is responsible for identifying missing dependencies for the Chrome browser when running in a Docker environment. The key changes include:
  - Using the `ldd` command to identify the dependencies of the `/opt/chrome/chrome` binary and parsing the output to find any missing dependencies.
  - Using the `apt-file` command to search for the corresponding package that provides the missing library, filtering out packages that are likely not the main library.
  - Logging the list of missing packages to assist in resolving the dependencies.
Overall, this code change is focused on improving the reliability and security of the Chrome browser deployment in a Docker environment, which is an important aspect of application security.
Code Analysis
We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.
Riskiness
:green_circle: Risk threshold not exceeded.
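As an added example (not the PR's docker/install_chrome_dependencies.py, whose code is not shown here), the following sketches the ldd -> apt-file flow the summary describes, with the behaviour the PR title asks for: every subprocess failure propagates as an exception instead of being swallowed. The function names, the filter that drops -dev/-dbg packages, and the sample ldd and apt-file outputs are my own assumptions, constructed to make the block run offline.

```python
"""Added example: locate a binary's unresolved shared libraries with ldd,
map each to a Debian package with apt-file, and let failures raise."""
import re
import shlex
import subprocess
import sys
from typing import Callable

CHROME_BINARY = "/opt/chrome/chrome"  # path named in the PR summary

# ldd prints one dependency per line; unresolved ones end in "=> not found".
_NOT_FOUND = re.compile(r"^\s*(\S+)\s*=>\s*not found\s*$")
# apt-file search prints "package: /path/to/file".
_APT_FILE_LINE = re.compile(r"^([^:\s]+):\s*(\S+)$")
# Assumed filter: packages shipping headers or debug symbols, not the runtime library.
_NOT_RUNTIME = ("-dbg", "-dbgsym", "-dev")

Runner = Callable[[list[str]], str]


def parse_missing_libs(ldd_output: str) -> list[str]:
    """Return the library names ldd could not resolve, in order, de-duplicated."""
    seen: dict[str, None] = {}
    for line in ldd_output.splitlines():
        m = _NOT_FOUND.match(line)
        if m:
            seen.setdefault(m.group(1), None)
    return list(seen)


def parse_apt_file_hits(apt_file_output: str, lib: str) -> list[str]:
    """Keep packages whose file basename is exactly `lib`, skipping -dev/-dbg variants."""
    pkgs: dict[str, None] = {}
    for line in apt_file_output.splitlines():
        m = _APT_FILE_LINE.match(line.strip())
        if not m:
            continue
        pkg, path = m.groups()
        if path.rsplit("/", 1)[-1] != lib or pkg.endswith(_NOT_RUNTIME):
            continue
        pkgs.setdefault(pkg, None)
    return list(pkgs)


def run_checked(argv: list[str]) -> str:
    """Run a command; a non-zero exit raises CalledProcessError (nothing is swallowed).

    Diagnostics go to stderr on purpose: the Dockerfile captures stdout with
    $(...) and passes it to apt-get as the package list."""
    print(f"+ {shlex.join(argv)}", file=sys.stderr)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def find_missing_packages(binary: str, run: Runner = run_checked) -> list[str]:
    """Resolve every unresolved library of `binary` to one package name.

    ldd still exits 0 when a dependency is merely missing, so the "not found"
    lines are parsed explicitly; its non-zero exit (unreadable file, not a
    dynamic executable) and apt-file failures propagate from run_checked."""
    missing = parse_missing_libs(run(["ldd", binary]))
    packages: dict[str, None] = {}
    unresolved: list[str] = []
    for lib in missing:
        hits = parse_apt_file_hits(run(["apt-file", "search", lib]), lib)
        if hits:
            packages.setdefault(hits[0], None)
        else:
            unresolved.append(lib)
    if unresolved:  # fail loudly rather than let apt-get install a short list
        raise RuntimeError(f"no package provides: {', '.join(unresolved)}")
    print(f"missing libraries: {missing}", file=sys.stderr)
    return list(packages)


# Constructed sample output modelled on the ldd/apt-file formats (not from a real build).
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd4a9f0000)\n"
    "\tlibnss3.so => not found\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c1b800000)\n"
    "\tlibgbm.so.1 => not found\n"
    "\tlibnss3.so => not found\n"
)
SAMPLE_APT_FILE = {
    "libnss3.so": "libnss3: /usr/lib/x86_64-linux-gnu/libnss3.so\n"
                  "libnss3-dbg: /usr/lib/debug/usr/lib/x86_64-linux-gnu/libnss3.so\n",
    "libgbm.so.1": "libgbm1: /usr/lib/x86_64-linux-gnu/libgbm.so.1\n"
                   "libgbm1: /usr/lib/x86_64-linux-gnu/libgbm.so.1.0.0\n",
}


def fake_runner(argv: list[str]) -> str:
    """Offline stand-in for run_checked that serves the constructed samples."""
    if argv[0] == "ldd":
        return SAMPLE_LDD
    if argv[:2] == ["apt-file", "search"]:
        return SAMPLE_APT_FILE.get(argv[2], "")
    raise subprocess.CalledProcessError(127, argv)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else CHROME_BINARY
    # Only the package names reach stdout, space-separated for apt-get.
    print(" ".join(find_missing_packages(target)))
```

Run as `missing=$(python example.py /opt/chrome/chrome) && apt-get -y install $missing`, matching the RUN line in the build log below: an uncaught exception makes Python exit non-zero, which fails the RUN step instead of handing apt-get an empty or partial list. Checking ldd's exit status alone catches an unreadable or non-dynamic binary but not a merely missing library, which is why the "not found" lines are parsed as well.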
This test was run when we knew integration tests would fail, and the error was still not caught earlier. It seems like more attention is needed on this one.
This is the type of error I would expect to see when searching for dependencies fails.
I will now pull the latest dev images. I know those will build correctly, so if the tests are successful with these changes with solid containers, then I believe we will be good here.
Looks like I will need to spend more time on this solution...
@cneill I swapped in the dynamic chrome version fetching and the builds still failed. The interesting part is that the script is working sorta as expected? ldd is not failing this time, but some dependencies are still not appearing to be pulled in.
#18 [build 9/17] RUN missing_chrome_deps=$(python install_chrome_dependencies.py) && apt-get -y install $missing_chrome_deps
#18 0.101 Reading package lists...
#18 0.507 Building dependency tree...
#18 0.614 Reading state information...
#18 0.731 0 upgraded, 0 newly installed, 0 to remove and 13 not upgraded.
#18 DONE 0.7s
#19 [build 10/17] RUN apt-get install -y libxi6 libgconf-2-4 jq libjq1 libonig5 libxkbcommon0 libxss1 libglib2.0-0 libnss3 libfontconfig1 libatk-bridge2.0-0 libatspi2.0-0 libgtk-3-0 libpango-1.0-0 libgdk-pixbuf2.0-0 libxcomposite1 libxcursor1 libxdamage1 libxtst6 libappindicator3-1 libasound2 libatk1.0-0 libc6 libcairo2 libcups2 libxfixes3 libdbus-1-3 libexpat1 libgcc1 libnspr4 libgbm1 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxext6 libxrandr2 libxrender1 gconf-service ca-certificates fonts-liberation libappindicator1 lsb-release xdg-utils
That seems out of the scope of this PR. Does the current implementation of checking the error codes of ldd satisfy your request?